PHP form to mail() security - PHP Server Side Scripting forum at WebmasterWorld - WebmasterWorld

Forum Moderators: coopster

Message Too Old, No Replies

PHP form to mail() security

comment form user input sanitation question

lavalamp

3:39 pm on Nov 13, 2004 (gmt 0)

10+ Year Member

I've seen numerous great resources here and elsewhere on the importance of "sanitizing" ALL user supplied data and that's what I'm trying to do. My problem is all the examples show something specific like using regex to check for a valid email or zip code, but what I can't find anything about is regular input text fields.

The conventional wisdom I understand is to whitelist what is safe instead of trying to figure out every possible bad input, which works great with such specific examples but it's hard to whitelist for example a comment form, where you can allow spaces, punctuation...etc. So what's a scared newbie to do?

I understand a lot of people say if you're going to redisplay the data to the browser you should do something like

htmlenties(stripslashes($comments))

but what about if I'm just taking the comments from a form and mailing it to myself? I'm especially worried about some kind of command injection because my webhost, unfortunately has register globals on.

anyway, sorry for such a long maiden post here, but I'm just feeling overwhelmed after on of my sites got hit with a crosssite scripting attack recently.

dreamcatcher

3:56 pm on Nov 13, 2004 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Welcome to Webmaster World lavalamp. :)

If you use plain text e-mail format as opposed to HTML format, I would think that this is a good enough security measure. HTML code would be rendered useless in this case.

If using HTML formatted e-mails, look at the strip_tags() [uk2.php.net] function which will remove any unwanted tags.

If you are posting to a database, other security measure are needed. Its unfortunate that there are people out there who get some kind of pleasure from upsetting other peoples work, but I`m afraid its a sad fact of life.

Were you worried about a certain kind of data from coming through?

lavalamp

4:17 pm on Nov 13, 2004 (gmt 0)

10+ Year Member

Thanks for the reply (and the welcome) dreamcatcher!

Thanks for the tip on the striptags, that makes sense as yes I'm just doing plain text email.

As far as what I'm worried about, it's more of a general not wanting to leave some big stupid hole open. I guess one thing that I'm concerned about is just what the best way to filter freeform text input is for example in my php if I do something like:

$subject = $_POST['comments'];

...where 'comments' was input text from my web form
...and then later I use the the $subject variable in the mail() function...

if someone uses metacharacters to enter some actual nasty php code will it just not get run because I'm not displaying it back in a browser or would it run as the variable is assigned? I guess I mean should I be filtering the backtick and stuff like that? my inexperience and new-found paranoia is showing here I guess....

lavalamp

4:20 pm on Nov 13, 2004 (gmt 0)

10+ Year Member

...and the other thing raising my paranoia level is that my web host has register_globals ON and safe_mode OFF, and since php runs as a cgi binary I can't change those settings in an .htaccess file.

:(

dreamcatcher

12:05 am on Nov 14, 2004 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Not sure if this may help:

http://uk.php.net/manual/en/security.registerglobals.php [uk.php.net]